Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 01_ocred.pdf
EC-Council
Certified Cybersecurity Technician Exam 212-82 Cryptography Module

Cryptography Flow: Discuss Cryptographic Security Techniques; Discuss Various Cryptographic Algorithms; Discuss Various Hash Functions and Cryptography Tools; Discuss PKI and Certificate Management Concepts; Discuss Other Applications of Cryptography.

Discuss PKI and Certificate Management Concepts

This section deals with public key infrastructure (PKI), the role of each component of PKI, and certification authorities.

Module 14 Page 1686 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Digital Signature

- Digital signatures use asymmetric key algorithms to provide data integrity.
- A specific signature function is added to the asymmetric algorithm at the sender's side to digitally sign the message, and a specific verification function is added to verify the signature to ensure message integrity at the recipient side.
- The asymmetric algorithms that support these two functions are called digital signature algorithms.
- A digital signature is created using the hash code of the message, the private key of the sender, and the signature function.
- It is then verified using the hash code of the message, the public key of the sender, and the verification function.
- Digitally signing messages slows performance during verification; the hash value of the message is used instead of the message itself for better performance.

[Slide figure: the sender's private key and the hash code of the message produce the digital signature; the message containing the digital signature is sent; the recipient recomputes the hash code and verifies the signature with the sender's public key]

A digital signature is a cryptographic means of authentication. Public-key cryptography uses asymmetric encryption and helps the user to create a digital signature. A specific signature function is added to the asymmetric algorithm at the sender's side to digitally sign the message, and a specific verification function is added to verify the signature to ensure message integrity at the recipient side. The asymmetric algorithms that support these two functions are called digital signature algorithms.

[Figure: Confidential Message -> Hashing Algorithm -> Hash Code -> Signature Function (with the sender's Private Key) -> Digital Signature -> Message Containing the Digital Signature]
Figure 14.19: Creating a digital signature at the sender side

[Figure: Message Containing the Digital Signature -> Confidential Message -> Hashing Algorithm -> Hash Code -> Verification Function (with the sender's Public Key) checks the Digital Signature]
Figure 14.20: Verifying a digital signature at the recipient side

A hash function is an algorithm which helps users to create and verify digital signatures. This algorithm creates a digital representation, also known as a message fingerprint. This fingerprint has a hash value that is much smaller than the message, but one that is unique. If an attacker changes the message, the hash function will produce a different hash value. In order to verify a digital signature, one requires the hash value of the original message and the hash function used for creating the digital signature. With the help of the public key and the new result, the verifier checks whether the digital signature was created with the related private key and whether the new hash value is the same as the original. Digitally signing messages slows performance during verification; the hash value of the message is used instead of the message itself for better performance.

[Figure: (1) Sender selects a public and private key and sends the public key to the receiver. (2) Sender uses the private key to sign the message and sends the message and signature to the receiver. (3) Receiver verifies the signature using the public key and then reads the message.]
Figure 14.21: Working of Digital Signature
Key Exchange through Digital Envelopes

[Slide figure: a random secret key encrypts the message; the recipient's public key encrypts the secret key; the encrypted message and encrypted secret key together form the digital envelope, which the recipient opens by decrypting the secret key with the recipient's private key]

Digital envelopes are created to prevent the exposure of digital files or data to external entities other than the intended recipient. The symmetric key algorithm is generally used for encrypting/decrypting large amounts of data, but sharing the secret keys is a complex process. The asymmetric key algorithm can make this procedure easy, but it can encrypt/decrypt only a limited amount of data. To overcome these restrictions and improve security, the digital envelope system is used, which encapsulates both the secret key and the data within.

To generate a digital envelope, the sender must obtain the public key belonging to the recipient. The public key can be obtained based on the PKI implementation of the organization. The process of key exchange through digital envelopes is as follows. Client A generates a new symmetric key (known as a randomly generated secret key) and uses it to encrypt a message. Client A uses Client B's public key to encrypt this symmetric key. The encrypted message and secret key are both placed in a single packet known as a digital envelope and transferred to Client B.

[Figure: Message -> Encryption with the Random secret key -> Encrypted message; Random secret key -> Encryption with the Recipient's public key -> Encrypted secret key; both together form the Digital envelope]
Figure 14.22: Generating a digital envelope

On the receiving end, Client B uses their private key to decrypt the symmetric key. Using the symmetric key, Client B then decrypts the original message. The digital envelope facilitates the secure exchange of the symmetric key between both parties through public key cryptography, which is also known as the hybrid encryption model.

[Figure: Digital envelope -> Encrypted secret key -> Decryption with the Recipient's private key -> Random secret key -> Decryption of the Encrypted message -> Message]
Figure 14.23: Extracting the key from a digital envelope